Crypto Miners May Be the ‘New Payload of Choice’ for Attackers

Ransomware has been a favorite and time-tested tool for cybercriminals, but the rise of cryptocurrency has given them a broad new target with key strategic advantages, leading to a sharp uptick in crypto mining botnets, researchers at Cisco Talos say.

Attackers “are beginning to recognize that they can realize all the financial upside of previous attacks, like ransomware, without needing to actually engage the victim and without the extraneous law enforcement attention that comes with ransomware attacks,” Talos researchers write in a new report.

One prominent example of a cryptocurrency mining botnet is Smominru, which has made as much as $3.6 million since May mining Monero, researchers at Proofpoint say.

Monero has emerged as a favorite among mining botnet creators, and an average-sized system comprised of about 2,000 victims could mine about $200,000 worth of Monero per year, according to Talos’s report.

Mining cryptocurrency of any type is a compute-intensive process, making the prospect of stealing CPU cycles from other machines, rather than make the large upfront investment in infrastructure and ongoing one in electricity costs a tempting one for criminals.

These botnets typically use pool-based mining, which pulls together the computing resources of all the infected systems. “This is similar to launching DDoS attacks “where 100,000 machines flooding a target with bogus traffic becomes much more effective compared to a single system under the attacker’s control,” Talos says.

But in sharp contrast to DDoS attacks, the goal of a successful crypto botnet is to remain undetected, allowing it to run for months or even years, generating cash for its owners all the while.

To that end, attackers are learning and adapting as time goes on, specifying parameters aimed at hiding the botnet malwares on infected systems. For example, limits can be put on CPU usage and system temperature. “If the mining software is executed without these options, victims might notice significant performance degradation on their systems,” Talos’s researchers write.

Mining software is typically being distributed via spam emails that contain attachments such as malicious Word documents. Talos found an example from late 2017 that used a job application spoof.

Attackers are also using exploits to take advantage of vulnerabilities. One high-profile example came in December when hackers exploited vulnerabilities in Oracle WebLogic and PeopleSoft systems to install Monero miners, generating more than $200,000 before being discovered.

Another reason mining botnets are coming into favor is that they’re the “polar opposite” of ransomware from a management perspective, since once systems are infected there is no command-and-control activity involved, Talos adds.

None of this is to say that ransomware is going away, as it will remain effective for more targeted attacks, “but as a payload to compromise random victims, its reach definitely has limits,” they wrote. “Crypto miners may well be the new payload of choice for adversaries. It has been and will always be about money and crypto mining is an effective way to generate revenue.”